1. Field of the Invention
The present invention relates to a device for detecting, via a network, a device that has been infected with a worm.
2. Description of the Related Art
Recently, with the spread of networks based on IP technology, many convenient services (such as e-mail, real-time audio and video distribution, communication between a PC and a fixed network over the Internet, and interconnection between a cellular phone and a PC) have increasingly been provided to users.
Accordingly, the devices that compose such a network and provide these services and functions are equipped with functions realized by more varied software than ever before. In order to realize a variety of functions while maintaining compatibility, a network must be built from devices that conform to a common standard rather than from devices built to a specification peculiar to each maker. Since the devices constituting the network then share a common configuration, they also share the same weaknesses: when one of them is attacked by a network attacker, every device may be attacked in the same way. A worm attack that targets a vulnerability in the software installed on such devices is a particular concern.
If a network component is infected with a worm, maintenance personnel examine and analyze the following items and determine whether the device is infected.
    Complaints from users: access delays, reception of abnormal data, virus infection and the like.
    Network traffic observations: rapid increase or decrease in traffic.
    Monitoring of network components: rapid change in the processing capacity of a component, rapid decrease in available memory.
If it is determined that a component is infected, its service is stopped in order to minimize the spread of damage, and the infected component is identified manually.
Therefore, completing the treatment takes a great deal of time and labor, and the maintenance cost increases. At the same time, users suffer a great loss of service. Furthermore, if a vulnerability is found in a network operating system, the reliability of the network business may be lost and the business may have to be withdrawn.
VoIP and IP Centrex services based on the current SIP (session initiation protocol) technology, and further moves to incorporate cellular phones using IMS (IP multimedia subsystem), wireless LAN, broadband and the PSTN (public switched telephone network), are also gaining momentum.
There is a strong tendency to use general-purpose products for the equipment constituting such a network, in order to build it at low cost and in a short time, and to use general-purpose software for the software that controls services. Software vulnerabilities are predicted to increase compared with the conventional network, and it is also anticipated that worms will attack those vulnerabilities and infect the software. The influence of such an infection on users will be far greater than in the conventional network.
Since additional services can be realized by further linking networks, it is anticipated that highly public networks of a unique kind (for police, fire fighters, ships, employment agencies, etc.), which until now have been realized using unique devices and software, will also be damaged.
Furthermore, since a variety of networks are incorporated, identifying an infected device is predicted to take more time than in the conventional case. In some cases there will be worm infections about which no user complains.
Such a situation causes the following problems.
    Problem 1: Worm infection must be detected and treated early.
    Problem 2: Once an infected device is identified, it must be prevented from being used as soon as possible in order to minimize the spread of damage.
    Problem 3: Since disruption of the highly public police, fire fighter and ship networks can directly affect human life, such services must be restarted as soon as possible.
Generally, it is anticipated that worm infection is caused by unauthorized access from an infected server, or by an attack on vulnerable software triggered by the publication of vulnerability information. In addition, however, it is also anticipated that a worm may exploit weaknesses in network operation procedures.
Specifically, the following forms of infection are considered.
(1) Infection from Maintenance Terminal
A maintenance terminal is infected with some virus, or a malicious maintenance person intentionally transmits a virus. The terminal is then connected to the network, and the infection spreads via a maintenance protocol such as FTP or SNMP.
(2) Infection Due to Malicious Use of a Call Setup Protocol
Virus software is stored in an option setting of the protocol and transmitted to a server. Upon receipt, the server is infected with the virus when it parses the contents of that option.
If a device is infected with the virus in this way, the following influences can be considered.
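The infection form in (2) relies on the server parsing whatever arrives in an option field before checking that it is well-formed. The following Python is an added example, not part of the patent or of any product it describes, of the pre-parse check a practitioner would put in front of a SIP parser: it bounds header count and value length, rejects non-text bytes and control characters in header values, and verifies Content-Length against the body before any content is handed to the service logic. The limits, the function names and the sample INVITE messages are constructed for the example.

```python
"""Pre-parse validation of SIP requests (added example, not from the patent)."""
import re
from typing import Tuple

# Bounds are assumptions for the example; real limits come from the service profile.
MAX_HEADER_VALUE = 512   # characters in one header value
MAX_HEADERS = 64
MAX_BODY = 4096          # bytes

REQUEST_LINE = re.compile(
    r"^(INVITE|ACK|BYE|CANCEL|OPTIONS|REGISTER|INFO|MESSAGE|NOTIFY|SUBSCRIBE"
    r"|UPDATE|REFER|PRACK|PUBLISH) (\S+) SIP/2\.0$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9\-.!%*_+`'~]*)\s*:\s*(.*)$")
REQUIRED = ("via", "from", "to", "call-id", "cseq")


def _is_text(value: str) -> bool:
    """Reject control characters (anything below 0x20 except TAB, and DEL)."""
    return all(c == "\t" or (0x20 <= ord(c) and ord(c) != 0x7F) for c in value)


def validate_sip_request(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Only messages that pass reach the real parser."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False, "non-UTF-8 bytes in message"
    if "\r\n\r\n" not in text:
        return False, "missing blank line between headers and body"
    head, body = text.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return False, "malformed request line"
    if len(lines) - 1 > MAX_HEADERS:
        return False, "too many headers"
    seen = {}
    for line in lines[1:]:
        m = HEADER_LINE.match(line)
        if not m:
            return False, f"malformed header line: {line[:32]!r}"
        name, value = m.group(1).lower(), m.group(2)
        if len(value) > MAX_HEADER_VALUE:
            return False, f"header {name} exceeds {MAX_HEADER_VALUE} characters"
        if not _is_text(value):
            return False, f"control characters in header {name}"
        seen[name] = value
    missing = [h for h in REQUIRED if h not in seen]
    if missing:
        return False, f"missing required header(s): {missing}"
    body_bytes = body.encode("utf-8")
    if len(body_bytes) > MAX_BODY:
        return False, "body too large"
    declared = seen.get("content-length", str(len(body_bytes)))
    if not declared.isdigit() or int(declared) != len(body_bytes):
        return False, "Content-Length does not match body"
    return True, "ok"


def _invite(extra_headers: bytes = b"") -> bytes:
    """Constructed INVITE skeleton; addresses and tags are made up for the example."""
    return (b"INVITE sip:1001@example.com SIP/2.0\r\n"
            b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
            b"From: <sip:1000@example.com>;tag=1928301774\r\n"
            b"To: <sip:1001@example.com>\r\n"
            b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
            b"CSeq: 314159 INVITE\r\n"
            b"Max-Forwards: 70\r\n"
            + extra_headers +
            b"Content-Length: 0\r\n\r\n")


# Constructed samples: one clean request and three carrying abnormal option contents.
NORMAL_INVITE = _invite()
OVERSIZED_INVITE = _invite(b"Subject: " + b"A" * 2000 + b"\r\n")
CONTROL_CHAR_INVITE = _invite(b"X-Option: opt=\x00\x01\x02\x7f\r\n")
NON_UTF8_INVITE = _invite(b"X-Option: \xff\xfe\xfd\r\n")

if __name__ == "__main__":
    for label, msg in [("normal", NORMAL_INVITE), ("oversized", OVERSIZED_INVITE),
                       ("control", CONTROL_CHAR_INVITE), ("non-utf8", NON_UTF8_INVITE)]:
        print(label, validate_sip_request(msg))
```

The check deliberately runs on the raw bytes before any protocol parsing, so a payload smuggled into an option header is rejected on length or character set without the server ever interpreting it; the bounds should be set from the service's legitimate traffic rather than the generous defaults used here.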
1. In the Case where Service Control Software is Infected
    (1) It is anticipated that the virus software itself is activated by the processing unit that contains the infected vulnerable part. Its operation is therefore expected to falsify the process that should be run and to start before the infected software. Since many unmanaged processes are generated in the device and consume a large amount of memory, its control memory is expected to be exhausted, its performance to degrade, and abnormal process requests to be issued outside the device.
    (2) It is anticipated that the virus software issues process start requests regardless of the state of the request destination. In normal termination, the state of the destination is generally checked and useless call setups are suppressed, but virus software aiming to affect the system keeps communicating regardless of the state of the destination. Therefore, the communication performance of the user device degrades and the device is brought down.
    (3) Notification of a service start request to an unspecified number of users
    An unspecified number of users are activated by the following mechanism.
    (a) Phone numbers are generated mechanically (for example, in ascending order from subscriber number 0000) and calls are originated to them.
    (b) Calls are originated consecutively to a specific learned phone number.
    (c) If many calls are originated at random, the communication of a user using the service may be disturbed (disconnected), or the entire network may enter a congestion state because the congestion of the infected device triggers congestion in related devices and the influence spreads.
    (4) The virus software generates false origination information and attempts to terminate calls at many specified or unspecified subscribers. This causes spoofing and the paralysis of highly urgent services such as police, fire fighter and shipping services.
    (5) No process requests can be received from outside because of the virus software. Therefore, service to users is temporarily stopped, or no highly urgent request can be issued.
2. In the Case where Maintenance Control Software is Infected
    (1) The virus software may disguise itself as a maintenance command, generate a command image, pretend to input a large number of commands, exhaust system resources and disturb the input of normal commands. It may also spoof the management number and port number of the maintenance terminal in its internal process.
    (2) The virus software can freely copy an inputted command and execute it many times at once to disturb maintenance operation. It is also anticipated that it continues to perform processing independently according to the copied information. In the case of an IP-related command, the server may even be disconnected from the network.
    If such processing is performed continuously, normal maintenance requests cannot be received. The maintenance function then becomes congested, and important system notices are not delivered to the maintenance personnel, which halts the maintenance work.
    (3) It is anticipated that when an inputted command is converted into its internal representation, the virus software converts it abnormally so that the command terminates abnormally, disturbing maintenance operation.
    (4) In order to confuse maintenance, the virus software is anticipated to issue a large number of alarms.
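Items (3)(a) through (c) under the service control case describe call-origination patterns that show up directly in call-setup logs. The following Python is an added example, not from the patent, of detection logic run over a constructed log: it flags a caller whose callees form a long run of consecutive numbers (mechanical generation), a caller that repeatedly originates calls to one learned number, and a caller whose origination rate exceeds a bound. The log format, the thresholds and the three callers in the sample data are assumptions made for the example.

```python
"""Detecting the origination patterns listed above in call-setup logs (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class CallAttempt:
    ts: float      # seconds since log start
    caller: str
    callee: str    # kept as a string so leading zeros survive


# Thresholds are assumptions for this example; a real deployment tunes them to its call mix.
SEQ_RUN_MIN = 8      # (a) consecutive callees that each increment the previous one by 1
REPEAT_MIN = 10      # (b) attempts to one callee within the window
RATE_WINDOW = 60.0   # seconds
RATE_MAX = 12        # (c) attempts from one caller within the window

# Constructed log format: "<seconds> INVITE caller=<digits> callee=<digits>"
LOG_LINE = re.compile(r"^(\d+(?:\.\d+)?) INVITE caller=(\d+) callee=(\d+)$")


def parse_log(lines: Iterable[str]) -> List[CallAttempt]:
    """Parse the constructed log format; lines that do not match are skipped."""
    out = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            out.append(CallAttempt(float(m.group(1)), m.group(2), m.group(3)))
    return out


def _max_in_window(timestamps: List[float], window: float) -> int:
    """Largest number of events falling inside any span of `window` seconds."""
    best, start = 0, 0
    for end in range(len(timestamps)):
        while timestamps[end] - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_suspicious_callers(attempts: Iterable[CallAttempt]) -> Dict[str, List[str]]:
    """Map each suspicious caller to the list of patterns it matched."""
    by_caller: Dict[str, List[CallAttempt]] = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_caller[a.caller].append(a)
    findings: Dict[str, List[str]] = {}
    for caller, seq in by_caller.items():
        reasons = []
        # (a) mechanical generation: longest run of callees that increase by exactly one
        run = best = 1
        for prev, cur in zip(seq, seq[1:]):
            run = run + 1 if int(cur.callee) == int(prev.callee) + 1 else 1
            best = max(best, run)
        if best >= SEQ_RUN_MIN:
            reasons.append(f"sequential callees (run of {best})")
        # (b) consecutive origination to one learned number
        per_callee: Dict[str, List[float]] = defaultdict(list)
        for a in seq:
            per_callee[a.callee].append(a.ts)
        for callee, ts in per_callee.items():
            n = _max_in_window(ts, RATE_WINDOW)
            if n >= REPEAT_MIN:
                reasons.append(f"repeated callee {callee} ({n} attempts in {RATE_WINDOW:.0f}s)")
        # (c) overall origination rate from this caller
        n = _max_in_window([a.ts for a in seq], RATE_WINDOW)
        if n > RATE_MAX:
            reasons.append(f"origination rate ({n} attempts in {RATE_WINDOW:.0f}s)")
        if reasons:
            findings[caller] = reasons
    return findings


def constructed_log() -> List[str]:
    """Constructed sample: two infected callers and one ordinary user."""
    lines = [f"{t} INVITE caller=1000 callee={t:04d}" for t in range(20)]   # walks 0000 upward
    lines += [f"{100 + 2 * i} INVITE caller=2000 callee=5551234" for i in range(12)]  # one number
    lines += ["200 INVITE caller=3000 callee=5550100",
              "450 INVITE caller=3000 callee=5550200",
              "800 INVITE caller=3000 callee=5550100"]                       # normal use
    return lines


if __name__ == "__main__":
    for caller, reasons in find_suspicious_callers(parse_log(constructed_log())).items():
        print(caller, reasons)
```

On the constructed log, caller 1000 is reported for both the sequential number walk and its origination rate, caller 2000 for hammering a single number, and caller 3000 is not reported; the rate check is what catches item (c), since randomly chosen numbers defeat the other two patterns.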
Reference 1 discloses a prior art for detecting the occurrence of such a worm or virus. It detects the possibility of a virus outbreak by detecting the use of an exceptional port that is normally unused, the generation of incomplete packets, an abnormal increase in the amount of communication, an abnormal increase in the number of errors, and the like.
Reference 1: Japanese Patent Application Publication No. 2003-241989
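The indicators attributed to Reference 1 are symptoms measured per interval: ports that are normally unused, incomplete packets, and spikes in traffic volume and error count. The following Python is an added example, not taken from Reference 1 or from the patent, of a baseline-and-threshold check over per-interval counters: normal port usage and per-counter mean and deviation are learned from quiet intervals, and later intervals are tested against them. The interval record, the thresholds and the sample counters are constructed for the example.

```python
"""Baseline-and-threshold checks for the indicators listed above (added example)."""
import statistics
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class IntervalStats:
    start: int          # interval start time, seconds
    bytes_total: int    # bytes forwarded in the interval
    incomplete: int     # truncated or never-reassembled packets seen
    errors: int         # protocol errors (resets, ICMP errors, decode failures)
    ports: frozenset    # destination ports observed


@dataclass(frozen=True)
class Baseline:
    ports: frozenset
    bytes_mean: float
    bytes_sd: float
    incomplete_mean: float
    incomplete_sd: float
    errors_mean: float
    errors_sd: float


SD_FLOOR = 1.0   # assumption: keeps the threshold above the mean when the baseline is flat
K = 3.0          # assumption: flag values more than K standard deviations above the mean


def learn_baseline(history: Sequence[IntervalStats]) -> Baseline:
    """Learn normal port usage and per-counter mean/deviation from quiet intervals."""
    def stats(values):
        return statistics.mean(values), max(statistics.pstdev(values), SD_FLOOR)
    bytes_mean, bytes_sd = stats([i.bytes_total for i in history])
    inc_mean, inc_sd = stats([i.incomplete for i in history])
    err_mean, err_sd = stats([i.errors for i in history])
    ports = frozenset().union(*(i.ports for i in history))
    return Baseline(ports, bytes_mean, bytes_sd, inc_mean, inc_sd, err_mean, err_sd)


def evaluate(interval: IntervalStats, base: Baseline, k: float = K) -> List[str]:
    """Return the indicators that fire for one interval (an empty list means quiet)."""
    reasons = []
    new_ports = interval.ports - base.ports
    if new_ports:
        reasons.append(f"normally unused port(s) in use: {sorted(new_ports)}")
    if interval.incomplete > base.incomplete_mean + k * base.incomplete_sd:
        reasons.append(f"incomplete packets: {interval.incomplete}")
    if interval.bytes_total > base.bytes_mean + k * base.bytes_sd:
        reasons.append(f"traffic spike: {interval.bytes_total} bytes")
    if interval.errors > base.errors_mean + k * base.errors_sd:
        reasons.append(f"error spike: {interval.errors}")
    return reasons


# Constructed data: twelve quiet one-minute intervals on a node that only speaks
# FTP, SNMP and SIP, then one more quiet interval and one noisy interval.
_NORMAL_PORTS = frozenset({21, 161, 5060})
_BYTES = [100000, 104000, 98000, 101000, 99000, 103000,
          97000, 102000, 100500, 99500, 101500, 98500]
_INCOMPLETE = [0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1]
_ERRORS = [1, 0, 2, 1, 0, 1, 2, 1, 0, 1, 1, 0]
QUIET_HISTORY = [IntervalStats(60 * n, b, i, e, _NORMAL_PORTS)
                 for n, (b, i, e) in enumerate(zip(_BYTES, _INCOMPLETE, _ERRORS))]
QUIET_INTERVAL = IntervalStats(720, 102000, 1, 1, _NORMAL_PORTS)
NOISY_INTERVAL = IntervalStats(780, 5_000_000, 40, 80, _NORMAL_PORTS | {12345})

if __name__ == "__main__":
    base = learn_baseline(QUIET_HISTORY)
    print("quiet:", evaluate(QUIET_INTERVAL, base))
    print("noisy:", evaluate(NOISY_INTERVAL, base))
```

Run against the constructed data, the quiet interval produces no indicator and the noisy one fires all four. Every one of these indicators requires the infected device to already be generating abnormal traffic, which is exactly the limitation of the conventional method.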
However, with this conventional worm/virus detection method, the outbreak can be detected only after the virus has already communicated over the network and a failure has occurred.